Daniel Stori’s Turnoff.US: ‘git submodules adoption flows’
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s Turnoff.US: ‘git submodules adoption flows’ appeared first on Security Boulevard.
Grip Security today extended its portfolio of tools for securing software-as-a-service (SaaS) applications to provide an ability to proactively identify misconfigurations and enforce best cybersecurity practices.
The post Grip Security Adds SaaS Security Posture Management Offering appeared first on Security Boulevard.
Cybersecurity is often viewed from the point of view of practitioners, which is why the DevSecOps company Jit took a different tack on the subject — and asked developers about their views on application security (AppSec).
The post What developers think about application security might surprise you appeared first on Security Boulevard.
Cybersecurity firm Sophos closed its $859 million acquisition of Secureworks earlier this month and soon after cut 6% of the combined company's workforce, with many of job losses related to either overlapping positions created by the deal or roles that were no longer needed after Secureworks delisted as a public company.
The post Sophos Sheds 6% of Employees After Closing Secureworks Deal appeared first on Security Boulevard.
This is Part 2 of our two-part technical analysis on Xloader versions 6 and 7. For details on how Xloader conceals its critical code and data, go to Part 1.

Introduction

In Part 2 of this blog series, we examine how Xloader obfuscates the command-and-control (C2) code and data to complicate analysis. We will also delve into the network communication protocol for the latest versions of Xloader, which uses multi-layer encryption and fake servers to evade detection.

Key Takeaways

- Xloader versions 6 and 7 use advanced obfuscation techniques to mask critical parts of code and data.
- The malware continues to utilize hardcoded decoy lists to blend real C2 network communications in with traffic to legitimate websites.
- The decoy lists and the real C2 server are encrypted using different keys and algorithms.
- Xloader versions 6 and 7 use the same network protocol and are protected by multiple layers of encryption.

Technical Analysis

C2 decryption

Decoy C2 servers

Xloader shares many characteristics with Formbook, its predecessor, including the use of a decoy C2 list and a real C2 server, which are encrypted differently and stored separately within the binary. The purpose of the decoys is to generate network traffic to legitimate domains to disguise real C2 traffic. This approach has been used by other malware families in the past, such as Pushdo. Note that the so-called decoy list can also include actual C2 servers, but for simplicity we'll continue to refer to these as the "decoy list" and the "real" C2 server in this blog, since the former still primarily contains legitimate domains.

The figure below shows a high-level description of the process that Xloader uses to decrypt the decoy C2s.

Figure 1: The functions that decrypt the decoy C2 servers in Xloader 6.2.

The Xloader decoy C2s are encrypted with three layers. The keys needed for decryption are generated by various functions within the malware code and are stored in global configuration structures, as described below.

The first decryption key for the decoy C2 is constructed dynamically by one of the encrypted NOPUSHEBP functions. Five DWORDs are combined to construct an initial 20-byte seed. This seed is then XOR'ed with a hardcoded DWORD XOR key and an additional hardcoded 1-byte XOR key. The resulting 20-byte key is stored in the global configuration structure.

Similarly, the second key of the decoy C2 is generated by another encrypted NOPUSHEBP function. Once again, five DWORDs are initialized on the stack and XOR'ed with a DWORD XOR key retrieved from the global configuration structure. This DWORD XOR key was previously calculated and stored in the global configuration structure by another function.

The list of decoy C2s is stored among the encrypted strings with indexes that typically range from 1 to 63 (inclusive). Another function retrieves and decrypts a specific decoy C2 server based on its index, using Xloader's standard string encryption algorithm that we described in Part 1 of this blog series. Removing this first layer yields the encrypted second layer, which is a Base64 encoded string.

The second layer is Base64 decoded and decrypted with Xloader's RC4 and subtraction algorithm, using the first key XOR'ed with the index of the decoy C2. The third and final layer is removed with Xloader's RC4 and subtraction algorithm using the second key.

Below is a Python implementation of Xloader's decoy C2 decryption algorithm:

```python
import base64

# Get the necessary seeds and XOR keys from the binary
# (the get_* helpers extract the values from the sample and are not shown here)
rc4_key_1_seed = get_rc4_key_1_seed()
rc4_key_1_xor = get_rc4_key_1_xor()
rc4_key_2_seed = get_rc4_key_2_seed()
rc4_key_2_xor = get_rc4_key_2_xor()
# Calculate the final keys
decoy_C2s_key_1 = xor(rc4_key_1_seed, rc4_key_1_xor)
decoy_C2s_key_2 = xor(rc4_key_2_seed, rc4_key_2_xor)
# Decrypt the decoy C2 at target_C2_index (1-63): remove the string-encryption
# layer, Base64 decode, then strip the two RC4-and-subtraction layers
enc_C2 = decrypt_encrypted_string_by_index(target_C2_index)
b64dec = base64.b64decode(enc_C2)
key1 = xor(decoy_C2s_key_1, target_C2_index)
dec = rc4_sub(b64dec, key1)
decrypted_c2 = rc4_sub(dec, decoy_C2s_key_2)
```

Legitimate C2 servers

Following the C2 decoy list is another encrypted string located at index 64. This encrypted string contains the real Xloader C2, which is decrypted using a similar algorithm but with different keys. First, the encrypted string at index 64 is retrieved and decrypted. After decryption, the result is Base64 decoded, and a new key is dynamically built as follows:

1. A 20-byte seed is constructed.
2. This seed is XOR'ed with a hardcoded 1-byte XOR key.
3. The seed is then XOR'ed with a hardcoded DWORD XOR key.
4. Finally, the seed is XOR'ed with another hardcoded 1-byte XOR key.

The resulting 20-byte key is then used to decrypt the first encryption layer of the real C2 using RC4 and subtraction.

The next encryption layer of the real C2 is decrypted using another function: a 20-byte seed is constructed, and this seed is then XOR'ed with a hardcoded 1-byte XOR key. The resulting key is used to decrypt the final RC4 and subtraction layer of the real C2.

Below is a Python implementation for decrypting Xloader's real C2:

```python
import base64


def decrypt_real_c2():
    # Get the necessary seeds and XOR keys from the binary
    # (the get_* helpers extract the values from the sample and are not shown here)
    rc4_key_1_seed = get_rc4_key_1_seed()
    rc4_key_1_xor1byte = get_rc4_key_1_xor1byte()
    rc4_key_1_xor4bytes = get_rc4_key_1_xor4bytes()
    rc4_key_2_seed = get_rc4_key_2_seed()
    rc4_key_2_xor = get_rc4_key_2_xor()
    # Calculate the final keys
    real_C2_key = xor(rc4_key_1_seed, rc4_key_1_xor1byte)
    real_C2_key = xor(real_C2_key, rc4_key_1_xor4bytes)
    real_C2_key_2 = xor(rc4_key_2_seed, rc4_key_2_xor)
    # Decrypt the real C2 stored at string index 64
    string_64 = decrypt_encrypted_string_by_index(64)
    b64dec = base64.b64decode(string_64)
    dec = rc4_sub(b64dec, real_C2_key)
    dec = rc4_sub(dec, real_C2_key_2)
    # Every real C2 observed so far starts with 'www'; anything else
    # indicates the wrong keys were used
    if dec.startswith(b'www'):
        return dec.decode()
    return None
```

Note that all of the real C2 servers observed by ThreatLabz (after decryption) start with a www subdomain. In contrast, the decoy C2 servers embedded in the malware do not start with a www subdomain; that prefix is added by Xloader prior to establishing network communications.

C2 URL path

In Xloader versions 6 and earlier, the real C2 string included a domain and a path, whereas each decoy C2 string consisted only of a domain. Therefore, Xloader appended the real C2's path to each decoy domain prior to generating network traffic.

In Xloader version 7.5, each decoy C2 and real C2 has its own URL path, and the decryption function now includes an additional argument to return either the domain or the path of the decrypted C2 server. This process uses a 20-byte key combined with the C2's index to decrypt each 4-character C2 path via Xloader's RC4 and subtraction algorithm.

Network protocol

We previously described Xloader's network protocol and a new encryption layer that was added to the malware's registration packet. In Xloader 4.3, we discovered a bug that caused the registration packet to be truncated because of the improper placement of a NULL character. This issue has since been resolved in version 6, and the packet is now formatted correctly.

Conclusion

Xloader continues to pose a significant threat to organizations with its powerful information stealing and second-stage downloader capabilities, combined with numerous techniques to evade host- and network-based detection. The malware author continuously updates and refines the code to complicate automated and manual analysis.
Versions 6 and 7 of Xloader add new multi-layer encryption algorithms and dynamic key generation to hinder static signatures and make reverse engineering efforts more tedious.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects Xloader and Formbook, as well as various other types of cyberthreats, at multiple levels, as shown below:

- Win32.PWS.Xloader
- Win32.PWS.Formbook

Figure 2: Zscaler Cloud Sandbox report for Xloader.

Indicators Of Compromise (IOCs)

| Sample (SHA256) | Variant | Version |
|---|---|---|
| 66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9 | Xloader | 6.2 |
| 88909cd27a422da91a651e87f493d16beff1f0e03adcc035f2835a2a25e871e7 | Xloader | 6.2 |
| 4ad101eef336dc2467ffaf584b272aa82f26711bfba4e2e29e8ad7c6d62bc6ae | Xloader | 7.5 |
| 362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9 | Xloader | 7.5 |
| b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca | Xloader | 7.5 |

Network indicators

Real C2:
www.iwin[.]exposed/ir6g/
www.everycreation[.]shop/nsev/

Decoy C2:
www.ok2yu[.]us/ir6g/
www.zwetststuren[.]cfd/ir6g/
www.fraternize[.]org/ir6g/
www.mc9uh8d70[.]site/ir6g/
www.scwspark[.]com/ir6g/
www.royalkredit[.]online/ir6g/
www.bkexclusivecars[.]net/ir6g/
www.moncoop[.]coop/ir6g/
www.tehranrizcomputer[.]com/ir6g/
www.sazekents[.]cfd/ir6g/
www.xediedie[.]icu/ir6g/
www.eeja[.]uk/ir6g/
www.mscfoundation[.]info/ir6g/
www.brighterhomesdecor[.]com/ir6g/
www.efidence[.]com/ir6g/
www.tk254kr6rwr7mjtru[.]com/ir6g/
www.haycoches[.]com/ir6g/
www.electra-airways[.]info/ir6g/
www.happiluv[.]com/ir6g/
www.goog1evip15[.]com/ir6g/
www.womenscalshion[.]com/ir6g/
www.lenaguillemette[.]com/ir6g/
www.jamesgadzikmd[.]com/ir6g/
www.kavanzi[.]com/ir6g/
www.tupinkeept[.]cfd/ir6g/
www.portfutures[.]asia/ir6g/
www.cgm-logistics[.]org/ir6g/
www.dutch-wildlife[.]shop/ir6g/
www.dsisarl[.]com/ir6g/
www.haftplicht[.]com/ir6g/
www.roundhaygardenscene[.]com/ir6g/
www.alace5[.]com/ir6g/
www.sathyfe[.]com/ir6g/
www.electronicraw[.]com/ir6g/
www.earn50k[.]com/ir6g/
www.arasymimbi[.]com/ir6g/
www.lriz[.]site/ir6g/
www.pinnaclebyte[.]info/ir6g/
www.avolci[.]com/ir6g/
www.am8pw[.]us/ir6g/
www.projectimprov[.]com/ir6g/
www.energeticfranchise[.]top/ir6g/
www.devocionmusic[.]com/ir6g/
www.markthing[.]site/ir6g/
www.myhosting[.]co[.]in/ir6g/
www.solar-windturbine[.]life/ir6g/
www.flusznwrldwide[.]com/ir6g/
www.lifedrawingbristol[.]co[.]uk/ir6g/
www.weberze[.]com/ir6g/
www.getmylinks[.]cc/ir6g/
www.aspasskeoffice[.]homes/ir6g/
www.uxzl[.]site/ir6g/
www.carpmaxxbait[.]online/ir6g/
www.dumpstedoctorca[.]com/ir6g/
www.revelationfithub[.]com/ir6g/
www.cuffbow[.]com/ir6g/
www.hk9[.]xyz/ir6g/
www.lollybowly[.]com/ir6g/
www.aarunifoodcrafters[.]com/ir6g/
www.jarvisandbrown[.]com/ir6g/
www.gattosat[.]icu/ir6g/
www.xfgqbh[.]site/ir6g/
www.mag-flex[.]com/ir6g/
www.trisixnine[.]net/0057/
www.softillery[.]info/cyhg/
www.easestore[.]shop/qflp/
www.yu35n[.]top/kejj/
www.yourhomecopilot[.]online/gctn/
www.fastr[.]live/gsjn/
www.dto20[.]shop/efvy/
www.aromavida[.]net/4rlw/
www.crochetpets[.]online/vand/
www.queima[.]shop/mdoj/
www.nojamaica[.]net/g7eq/
www.komart[.]shop/b2t1/
www.livemarkat[.]live/8h0p/
www.d27dm[.]top/ptbb/
www.rtpgaruda888resmi[.]xyz/u8o7/
www.chalet-tofane[.]net/3bhs/
www.platinumkitchens[.]info/dquo/
www.eslameldaramlly[.]site/nlx0/
www.theproselytizer[.]net/od1n/
www.amitayush[.]digital/93j5/
www.030002304[.]xyz/d7z8/
www.aaavvejibej[.]bond/lh0g/
www.useanecdotenow[.]tech/vera/
www.bayarcepat19[.]click/q1x3/
www.bluegirls[.]blog/g1ze/
www.wdeb18[.]top/kv48/
www.weatherbook[.]live/tfj4/
www.pachuco[.]supply/7gdu/
www.childlesscatlady[.]today/2kmz/
www.kabaribukota[.]press/nr90/
www.federall[.]store/afqz/
www.inf30027group23[.]xyz/xzfm/
www.allthingsjasmin[.]com/pbmf/
www.ntn[.]solar/fcmy/
www.torex33[.]online/pvct/
www.resumeyourway[.]info/vn92/
www.kx507981[.]shop/q3r9/
www.ohio-adr[.]net/j0y4/
www.serverplay[.]live/6b8s/
www.meg21c[.]top/3jg0/
www.rockbull[.]pro/0tt2/
www.trapkitten[.]website/y6hh/
www.44ddw[.]top/3e3b/
www.ngmr[.]xyz/4muf/
www.sansensors[.]info/ip84/
www.allsolar[.]xyz/cph9/
www.bismarckrecovery[.]com/kp5k/
www.vegastinyhomes[.]net/f2tm/
www.airbatchnow[.]online/ekgk/
www.huemanstudio[.]today/0ob6/
www.rtpngk[.]xyz/yd3l/
www.mechecker[.]life/b6h1/
www.lojashelp[.]video/ao78/
www.tracy[.]club/rwcg/
www.limitlesssky[.]org/50p5/
www.luismoreno[.]monster/06xo/
www.dhkatp[.]vip/4qrw/
www.hentaistgma[.]net/j6o1/
www.promasterev[.]shop/zjp0/
www.pethut[.]shop/wrhe/
www.polarmuseum[.]info/m8hf/
www.greekhause[.]org/tn42/
www.wdcb30[.]top/s7v2/
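The decoy-list and real-C2 decryption routines described in the Xloader analysis above share the same building blocks (20-byte keys assembled from five DWORDs and XOR'ed with DWORD and 1-byte constants, Base64, and two RC4-and-subtraction layers). The block below is an added, self-contained triage-style config extractor written for this page; it is not ThreatLabz's code and it does not contain any real Xloader keys. All seeds, XOR constants and encrypted strings are constructed in the block itself, and the `rc4_sub` routine is an assumed stand-in (standard RC4 followed by a keyed byte subtraction), since the exact subtraction step of Xloader's variant is not described on the page. It walks string indexes 1 to 63 as decoys and index 64 as the real C2, exactly the layout the article gives, and applies the "starts with www" observation as a key sanity check.

```python
import base64

# Constructed sample constants (NOT from a real Xloader sample; the real values
# are per-binary and are not on the page).
SEED_DWORDS_1 = [0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555]
SEED_DWORDS_2 = [0x0F0F0F0F, 0xF0F0F0F0, 0x12345678, 0x9ABCDEF0, 0xDEADBEEF]
DWORD_XOR_1, DWORD_XOR_2 = 0xA5A5A5A5, 0x5A5A5A5A
BYTE_XOR_1, BYTE_XOR_2, BYTE_XOR_3 = 0x3C, 0x7E, 0x42


def xor_bytes(data, key):
    """XOR data with a repeating key. An int key is little-endian encoded as
    1 byte if it fits, else as a 4-byte DWORD (the two key sizes the article
    describes). A decoy index XOR'ed into a 20-byte key is assumed to work the
    same way (1-byte repeat); that detail is an assumption."""
    if isinstance(key, int):
        key = key.to_bytes(1 if key < 0x100 else 4, "little")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_20_byte_key(dwords, *xor_keys):
    """Five DWORDs -> 20-byte seed, then XOR'ed in order with each constant
    (a DWORD key, a 1-byte key, or any sequence of them)."""
    key = b"".join(d.to_bytes(4, "little") for d in dwords)
    for k in xor_keys:
        key = xor_bytes(key, k)
    return key


def rc4(data, key):
    """Plain RC4 (an involution: applying it twice restores the input)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_sub(data, key):
    """ASSUMED stand-in for Xloader's 'RC4 and subtraction' layer:
    RC4, then subtract the key byte-wise mod 256."""
    x = rc4(data, key)
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(x))


def rc4_add(data, key):
    """Exact inverse of rc4_sub; used only to fabricate the constructed sample."""
    x = bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))
    return rc4(x, key)


def decrypt_decoy(enc_c2, index, key1, key2):
    """Mirror of the article's decoy routine after the string-encryption layer
    is gone: Base64 -> RC4/sub with (key1 XOR index) -> RC4/sub with key2."""
    dec = rc4_sub(base64.b64decode(enc_c2), xor_bytes(key1, index))
    return rc4_sub(dec, key2)


def decrypt_real_c2(enc_c2, key1, key2):
    """Index-64 routine: Base64 -> RC4/sub with key1 -> RC4/sub with key2.
    Every real C2 ThreatLabz observed starts with 'www', so treat anything
    else as a wrong-key result rather than an indicator."""
    dec = rc4_sub(rc4_sub(base64.b64decode(enc_c2), key1), key2)
    return dec.decode() if dec.startswith(b"www") else None


def extract_c2_config(enc_strings, decoy_keys, real_keys):
    """Walk the string table the way the malware does (1-63 decoys, 64 real)
    and return a dict suited to triage: block the real C2, do not alert on decoys."""
    k1, k2 = decoy_keys
    decoys = {i: decrypt_decoy(s, i, k1, k2).decode(errors="replace")
              for i, s in enc_strings.items() if 1 <= i <= 63}
    real = decrypt_real_c2(enc_strings[64], *real_keys) if 64 in enc_strings else None
    return {"decoys": decoys, "real_c2": real}


def build_sample():
    """Constructed string table: three decoys and one real C2, layered in the
    reverse order of decryption so the extractor above can unwrap them."""
    k1 = build_20_byte_key(SEED_DWORDS_1, DWORD_XOR_1, BYTE_XOR_1)   # decoy key 1
    k2 = build_20_byte_key(SEED_DWORDS_2, DWORD_XOR_2)               # decoy key 2
    r1 = build_20_byte_key(SEED_DWORDS_2, BYTE_XOR_1, DWORD_XOR_1, BYTE_XOR_2)  # real key 1
    r2 = build_20_byte_key(SEED_DWORDS_1, BYTE_XOR_3)                # real key 2
    decoys = {1: "decoy-one.example", 2: "decoy-two.example", 63: "decoy-last.example"}
    strings = {i: base64.b64encode(rc4_add(rc4_add(d.encode(), k2), xor_bytes(k1, i))).decode()
               for i, d in decoys.items()}
    strings[64] = base64.b64encode(rc4_add(rc4_add(b"www.real-c2.example/abcd/", r2), r1)).decode()
    return strings, (k1, k2), (r1, r2)


if __name__ == "__main__":
    strings, decoy_keys, real_keys = build_sample()
    print(extract_c2_config(strings, decoy_keys, real_keys))
```

The point of keeping the decoys and the real C2 in one result is operational: a sandbox run of a sample produces connections to every decoy domain, and only the index-64 entry is worth blocking or hunting for; the decoy domains belong on an allowlist for the detection rule rather than in it.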
The post Technical Analysis of Xloader Versions 6 and 7 | Part 2 appeared first on Security Boulevard.
The life of a Security Operations Center (SOC) analyst is often compared to navigating a vast and dangerous ocean. While tools like Intrusion Detection Systems (IDS), Cloud-Native Application Protection Platforms (CNAPP), and Endpoint Detection and Response (EDR) provide visibility into many attack vectors, a critical blind spot remains: the application layer. This gap leaves SOC teams feeling like they're sailing blindfolded, vulnerable to unseen threats lurking beneath the surface.
The post Application Detection and Response (ADR) Gives the SOC Deep Visibility into the Application Layer | Contrast Security appeared first on Security Boulevard.
Dive into the world of AI agent authentication, where cutting-edge security meets autonomous systems. Discover how delegation tokens, real-time verification, and multi-layer security protocols work together to ensure safe and private AI operations while maintaining operational efficiency.
The post The Future of AI Agent Authentication: Ensuring Security and Privacy in Autonomous Systems appeared first on Security Boulevard.
When threat actors get their hands on legitimate corporate credentials, blocking unauthorized intrusions becomes far more challenging. Yet that’s exactly what’s happening across the globe, thanks to the growing popularity of infostealer malware. The result feeds the criminal supply chain with stolen data, fuelling follow-on fraud against customers and major financial and reputational damage for breached organizations.
The post How Infostealers Are Creating a Data Breach Epidemic appeared first on Security Boulevard.
Palo Alto Networks today launched its Cortex Cloud platform to integrate the company’s cloud-native application protection platform (CNAPP) known as Prisma Cloud into a platform that provides a wider range of cloud security capabilities.
The post Palo Alto Networks Unifies Cloud Security Portfolio appeared first on Security Boulevard.
TVM Ventures has selected Trail of Bits as its preferred security partner to strengthen the TON developer ecosystem. Through this partnership, we’ll lead the development of DeFi protocol standards and provide comprehensive security services to contest-winning projects deploying on TON. TVM Ventures will host ongoing developer contests where teams can showcase innovative applications that advance […]
The post We’re partnering to strengthen TON’s DeFi ecosystem appeared first on Security Boulevard.
Grip SSPM enhances SaaS security by automating misconfiguration fixes, engaging app owners, and unifying risk management for a smarter, proactive defense.
The post Grip SSPM: Next Evolution in SaaS Identity Risk Management appeared first on Security Boulevard.
SaaS security posture management and identity risk are deeply connected. Learn how to unify visibility, automation, and control to protect your SaaS ecosystem.
The post SaaS Security: Connecting Posture Management & Identity Risk appeared first on Security Boulevard.
Threat researchers with Google are saying that the lines between nation-state actors and cybercrime groups are blurring, noting that gangs backed by China, Russia, and others are using financially motivated hackers and their tools while attacks by cybercriminals should be seen as national security threats.
The post Lines Between Nation-State and Cybercrime Groups Disappearing: Google appeared first on Security Boulevard.
Authors/Presenters: Bryson Bort, Tom VanNorman
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organization’s YouTube channel.
The post DEF CON 32 – ICS 101 appeared first on Security Boulevard.
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Incoming Asteroid’ appeared first on Security Boulevard.
As Valentine’s Day approaches, cybercriminals are ramping up their efforts to exploit consumers through romance scams, phishing campaigns and fraudulent e-commerce offers.
The post Cybercriminals Exploit Valentine’s Day with Romance Scams, Phishing Attacks appeared first on Security Boulevard.
Check Point Software Technologies and cloud security provider Wiz are teaming up to enhance cloud security for enterprises by integrating cloud network protection with Cloud Native Application Protection (CNAPP).
The post Check Point, Wiz Partner on Enterprise Cloud Security appeared first on Security Boulevard.
Eric Gan, the ex-SoftBank executive who took over as CEO of Cybereason in 2023, is suing SoftBank and Liberty Capital, claiming that its largest investors are blocking much-needed financial proposals and driving the cybersecurity firm toward bankruptcy.
The post Cybereason CEO: Mnuchin, SoftBank Pushing Company To Bankruptcy appeared first on Security Boulevard.
Artificial intelligence (AI) is profoundly transforming cybersecurity, reimagining detection through remediation.
The post The Current AI Revolution Will (Finally) Transform Your SOC appeared first on Security Boulevard.
Authors/Presenters: Diego Jurado & Joel Niemand Sec Noguera
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organization’s YouTube channel.
The post DEF CON 32 – Leveraging AI For Smarter Bug Bounties appeared first on Security Boulevard.